<!DOCTYPE html>
<html lang="en">
<head>

    <meta charset="utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge" />

    <title>The Gafgyt variant vbot seen in its 31 campaigns</title>
    <meta name="HandheldFriendly" content="True" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />

    <link rel="stylesheet" type="text/css" href="/assets/built/screen.css?v=db215a41fd" />

    <link rel="shortcut icon" href="/favicon.png" type="image/png" />
    <link rel="canonical" href="https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/" />
    <meta name="referrer" content="no-referrer-when-downgrade" />
    <link rel="amphtml" href="https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/amp/" />
    
    <meta property="og:site_name" content="360 Netlab Blog - Network Security Research Lab at 360" />
    <meta property="og:type" content="article" />
    <meta property="og:title" content="The Gafgyt variant vbot seen in its 31 campaigns" />
    <meta property="og:description" content="Overview
Gafgyt botnets have a long history of infecting Linux devices to launch DDoS
attacks. While dozens of variants have been detected, new variants are
constantly emerging with changes in terms of register message, exploits, and
attacking methods. On the other hand, their new botnets are usually short lived,
with most of the C2s watched keeping active for only a few days. In this blog, I
will introduce such a sort of variant. The key findings are as follow:

 1. This variant was active from" />
    <meta property="og:url" content="https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/" />
    <meta property="article:published_time" content="2020-07-06T08:13:49.000Z" />
    <meta property="article:modified_time" content="2020-07-06T08:14:05.000Z" />
    <meta name="twitter:card" content="summary" />
    <meta name="twitter:title" content="The Gafgyt variant vbot seen in its 31 campaigns" />
    <meta name="twitter:description" content="Overview
Gafgyt botnets have a long history of infecting Linux devices to launch DDoS
attacks. While dozens of variants have been detected, new variants are
constantly emerging with changes in terms of register message, exploits, and
attacking methods. On the other hand, their new botnets are usually short lived,
with most of the C2s watched keeping active for only a few days. In this blog, I
will introduce such a sort of variant. The key findings are as follow:

 1. This variant was active from" />
    <meta name="twitter:url" content="https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/" />
    <meta name="twitter:label1" content="Written by" />
    <meta name="twitter:data1" content="LIU Ya" />
    <meta name="twitter:site" content="@360Netlab" />
    <meta name="twitter:creator" content="@liuya0904" />
    
    <script type="application/ld+json">
{
    "@context": "https://schema.org",
    "@type": "Article",
    "publisher": {
        "@type": "Organization",
        "name": "360 Netlab Blog - Network Security Research Lab at 360",
        "logo": "https://blog.netlab.360.com/content/images/2019/02/netlab-brand-5.png"
    },
    "author": {
        "@type": "Person",
        "name": "LIU Ya",
        "url": "https://blog.netlab.360.com/author/liu/",
        "sameAs": [
            "https://twitter.com/liuya0904"
        ]
    },
    "headline": "The Gafgyt variant vbot seen in its 31 campaigns",
    "url": "https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/",
    "datePublished": "2020-07-06T08:13:49.000Z",
    "dateModified": "2020-07-06T08:14:05.000Z",
    "description": "Overview\nGafgyt botnets have a long history of infecting Linux devices to launch DDoS\nattacks. While dozens of variants have been detected, new variants are\nconstantly emerging with changes in terms of register message, exploits, and\nattacking methods. On the other hand, their new botnets are usually short lived,\nwith most of the C2s watched keeping active for only a few days. In this blog, I\nwill introduce such a sort of variant. The key findings are as follow:\n\n 1. This variant was active from",
    "mainEntityOfPage": {
        "@type": "WebPage",
        "@id": "https://blog.netlab.360.com/"
    }
}
    </script>

    <meta name="generator" content="Ghost 2.13" />
    <link rel="alternate" type="application/rss+xml" title="360 Netlab Blog - Network Security Research Lab at 360" href="https://blog.netlab.360.com/rss/" />
    

<!-- Fix first paragraph font size -->
<style type="text/css">
 .post-template .post-content > p:first-child {font-size: 1em;}
</style>

</head>
<body class="post-template">

    <div class="site-wrapper">



    <main id="site-main" class="site-main outer">
        <div class="inner">

            <article class="post-full post no-image">

                <header class="post-full-header">
                    <section class="post-full-meta">
                        <time class="post-full-meta-date" datetime="2020-07-06">6 July 2020</time>
                    </section>
                    <h1 class="post-full-title">The Gafgyt variant vbot seen in its 31 campaigns</h1>
                </header>


                <section class="post-full-content">
                    <div class="post-content">
                        <h2 id="overview">Overview</h2>
<p>Gafgyt botnets have a long history of infecting Linux devices to launch DDoS attacks. While dozens of variants have been detected, new variants are constantly emerging with changes in terms of register message, exploits, and attacking methods. On the other hand, their new botnets are usually short lived, with most of the C2s we watched staying active for only a few days. In this blog I will introduce one such variant. The key findings are as follows:</p>
<ol>
<li>This variant was active from mid-April to mid-June. In total 31 campaigns for this variant were detected, from which 572 samples were captured. They were spread to build 19 botnets.</li>
<li>This variant evolved through 2 versions. Both have a characteristic register message template “ver:%f:%s:%d” that includes a rarely seen format specifier “%f”.</li>
<li>Mirai code was heavily used in both versions, which makes it possible to analyze them with the extracted Mirai configurations.</li>
<li>The same infrastructure, e.g., download servers, and the same filenames were observed in campaigns of other botnet families.</li>
</ol>
<p>This variant is named vbot because the author used that name in an unstripped sample. Accordingly, the 2 versions are called vbot1 and vbot2 in this blog.</p>
<h2 id="vbot1">vbot1</h2>
<p>Only 1 vbot1 campaign was seen, with 26 samples captured, as shown by the following honeypot records.</p>
<p><img src="https://blog.netlab.360.com/content/images/2020/07/fig1.png" alt="fig1"></p>
<p>All samples share the same C2 <code>185.225.19.200:2017</code>. Since in Gafgyt it’s common for the same source code to be compiled into binaries for different processor architectures, for simplicity the following analysis is based on the unstripped ARM sample <code>f696375452d08eecbde14d64c74acdde</code>. Compared with previous variants, vbot1 has a more concise main() function, because most of its code was moved into 2 new functions named init_vbot() and main_c2_handler().<br>
<img src="https://blog.netlab.360.com/content/images/2020/07/fig3.png" alt="fig3"><br>
The function name init_vbot indicates that the author code-named their botnet vbot. It's responsible for initializing things including the watchdog, configurations, and scanner. C2 communications are done in main_c2_handler(), where a loop of connecting, registering and receiving commands can be found, as shown below.</p>
<p><img src="https://blog.netlab.360.com/content/images/2020/07/fig4.png" alt="fig4"></p>
<p>The characteristic register message template <code>“ver:%f:%s:%d”</code> is used in the registration block that directly follows the connection block. From the unstripped symbols we can tell that the 3 specifiers represent version, bot type and architecture respectively. The analyzed sample has version 4.1.<br>
Actually it was the rarely seen specifier <code>“%f”</code> that drew my attention to this variant, because as far as I knew “%f” was not supported by Gafgyt. The original authors borrowed the design of the C library functions <code>printf</code> and <code>sprintf</code> and implemented a new function named <code>sockprintf</code>, which generates a message according to the given format string and sends it to the C2. Custom yet simple format handling is done inside sockprintf, with “%f” not implemented. That function has been kept by most Gafgyt variants. When I first encountered vbot’s register template, I imagined a new version of sockprintf. However, that’s obviously not the case. To reuse sockprintf but avoid complex programming, the vbot author turned to sprintf to generate the expected message, then passed it to sockprintf with the supported specifier <code>“%s”</code>.<br>
Similar to many Gafgyt variants, Mirai code can be found in vbot1. Due to its tight connection with the encrypted configurations, the borrowed code can be analyzed well with the extracted configurations. If you don’t know how to extract them, please refer to our VB2018 <a href="https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Liu-Wang.pdf">paper</a>. The extracted configurations are shown below, with each item annotated with the module that owns it.<br>
<img src="https://blog.netlab.360.com/content/images/2020/07/fig5.png" alt="fig5"><br>
The commands are hidden in the configuration. Besides attacking methods, vbot1 also supports remote update with the command <code>UPDATE</code>. Another feature worth mentioning is its persistence mechanism, which works by modifying crontab.</p>
<p>It’s strange that vbot1 was spread only once. 35 hours, or about 1.5 days, after its campaign was first detected, the first vbot2 campaign was seen from the same download server. Obviously the operators wanted to replace vbot1 with vbot2. The reason might be its buggy registration, which always sends a 191-byte register message to its C2 of which only 18 bytes are actually useful, as shown by the following figure.</p>
<p><img src="https://blog.netlab.360.com/content/images/2020/07/fig2.png" alt="fig2"></p>
<h2 id="vbot2">vbot2</h2>
<p>In total 30 vbot2 campaigns were seen from April 16 to June 12, 2020, with 546 samples captured from 12 download servers. From those samples 13 C2 servers were checked. Detailed analysis shows that, except for the registration code, vbot2 actually differs a lot from vbot1 in terms of code structure, attacking methods and Mirai configuration. The following analysis is based on the x86 sample <code>f5b0ebebc924e69e34a4ddd145916594</code>. It’s stripped, but key function names have been manually restored.<br>
Different from vbot1 but similar to many other variants, vbot2's C2 communications are done in main(), as shown below.</p>
<p><img src="https://blog.netlab.360.com/content/images/2020/07/fig6.png" alt="fig6"></p>
<p>Nearly the same registration block as in vbot1 can be found, with the 3 specifiers holding the same semantics. The analyzed sample has version 1.5. The loop composed of “loc_804B80B -&gt; REGISTRATION -&gt; loc_804B863” is very similar to previous Gafgyt variants in terms of CFG node count and semantics. The blocks are respectively responsible for establishing the connection, registration, and receiving commands.<br>
5 attacking methods were checked. All of them have been seen in other variants.</p>
<p><img src="https://blog.netlab.360.com/content/images/2020/07/fig7.png" alt="fig7"></p>
<p>Some vbot2 samples, e.g., <code>e36d96a74236038a348cfd667ca83528</code>, have slightly different attacking method names, as shown below.</p>
<p><img src="https://blog.netlab.360.com/content/images/2020/07/fig8.png" alt="fig8"></p>
<p>2 Mirai configurations were found. The only difference lies in the 0x28 item, as shown by the following 2 figures.</p>
<p><img src="https://blog.netlab.360.com/content/images/2020/07/fig9-1.png" alt="fig9-1"><br>
<img src="https://blog.netlab.360.com/content/images/2020/07/fig10.png" alt="fig10"></p>
<p>From the annotations we can see the Mirai code was mainly used in the watchdog, killer, scanner and random alpha string generation modules. Since the 0x28 item corresponds to a message written to STDOUT, the second, unprintable 0x28 item is probably caused by a typo by the author.<br>
With the extracted configurations the differences from vbot1 are obvious. They are:</p>
<ol>
<li>vbot2 has different attacking methods from vbot1.</li>
<li>While vbot1 hides commands in its configuration, vbot2 directly uses them.</li>
<li>No remote update and persistence mechanism were found in vbot2.</li>
</ol>
<p>Although those great differences suggest that vbot1 and vbot2 were actually derived from different code bases, I still think they were written by the same author(s) because:</p>
<ol>
<li>The shared register message template and registration implementation are unique enough.</li>
<li>The first vbot2 campaign shared the same download and C2 server as vbot1 within a relatively short period of time (1.5 days).</li>
</ol>
<h2 id="vbotandtherhombusmalware">vbot and the RHOMBUS malware</h2>
<p>While the filename RHOMBUS was seen 4 times in vbot campaigns, its use in Gafgyt campaigns was much earlier<a href="https://twitter.com/_odisseus/status/1232957932121313281">[1]</a>, with the variant called RHOMBUS analysed in <a href="https://old.reddit.com/r/LinuxMalware/comments/fh3zar/memo_rhombus_an_elf_bot_installerdropper/">[2]</a><a href="https://blog.apnic.net/2020/05/22/rhombus-a-new-iot-malware/">[3]</a>. Here I make a simple comparison. In the RHOMBUS malware described in those posts a dropper mechanism was found, with the dropper gaining persistence across restarts by modifying crontab. The dropped binaries, e.g., <code>269029c1554b13c3eccfaacf0196ff72</code> and <code>ba42665872ea41e3d2edd8978bc38c24</code>, actually belong to another Gafgyt variant that also heavily borrowed code from Mirai, as shown in the figure below.<br>
<img src="https://blog.netlab.360.com/content/images/2020/07/fig11.png" alt="fig11"><br>
From the above configuration we can see that obvious similarities exist between the RHOMBUS dropped binaries and vbot1. I think the most likely explanation is that vbot1 evolved from the RHOMBUS malware with the following modifications:</p>
<ol>
<li>The dropper’s persistence mechanism was grafted to its payload. That’s why persistence items could be found in vbot1 configuration but not in the above figure.</li>
<li>The register template was updated.</li>
<li>C2 communications were moved to the so-called main_c2_handler() function.</li>
</ol>
<p>Other key points about RHOMBUS malware include:</p>
<ol>
<li>The register message template is <code>“jm:_:%d”</code> or <code>“jm:%s:%d”</code>.</li>
<li>Similar to many Gafgyt variants, C2 communications were done in main().</li>
<li>The Gafgyt characteristic function initConnection() was removed with its code broken down into snippets that can be found in main().</li>
</ol>
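<p>The two register templates discussed above, vbot’s “ver:%f:%s:%d” and RHOMBUS’s “jm:_:%d” / “jm:%s:%d”, are simple enough to recognize in captured C2 traffic. The following Python is an added example for this post, not the blog author’s code and not code from the malware: it classifies a register message by template, reports how many bytes the template actually consumes (which is what makes vbot1’s padded 191-byte message stand out), and runs over constructed samples. The bot type “tel”, the arch value 1 and the NUL filler in the samples are assumptions, not values taken from the post.</p>

```python
"""Classify Gafgyt-style C2 register messages seen in captured traffic.

Added example for this post; not the blog author's code and not code from the
malware. Recognizes the vbot template "ver:%f:%s:%d" and the RHOMBUS templates
"jm:_:%d" / "jm:%s:%d", and reports how many bytes of a message the template
consumes, which exposes vbot1's oversized 191-byte register message (18 useful
bytes). All sample messages are constructed: the bot type "tel", the arch value
1 and the NUL filler are assumptions, not values from the post.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# sprintf renders "%f" with six decimals by default, so version 4.1 appears on
# the wire as "4.100000"; the pattern accepts any "<digits>.<digits>" form.
VBOT_RE = re.compile(rb"^ver:(?P<version>\d+\.\d+):(?P<bot_type>[^:\x00]+):(?P<arch>\d+)")
# RHOMBUS uses "jm:_:%d" or "jm:%s:%d"; the literal "_" is simply a bot type of "_".
RHOMBUS_RE = re.compile(rb"^jm:(?P<bot_type>[^:\x00]+):(?P<arch>\d+)")


@dataclass
class RegisterInfo:
    family: str               # "vbot" or "rhombus"
    version: Optional[float]  # only the vbot template carries a version
    bot_type: str
    arch: int
    useful_len: int           # bytes consumed by the template
    total_len: int            # bytes actually sent

    @property
    def trailing_bytes(self) -> int:
        """Bytes after the formatted fields; ideally 0 or just a terminator."""
        return self.total_len - self.useful_len


def classify_register(msg: bytes) -> Optional[RegisterInfo]:
    """Match msg against the known templates; return None if neither fits."""
    m = VBOT_RE.match(msg)
    if m:
        return RegisterInfo(
            family="vbot",
            version=float(m.group("version")),
            bot_type=m.group("bot_type").decode("ascii", "replace"),
            arch=int(m.group("arch")),
            useful_len=m.end(),
            total_len=len(msg),
        )
    m = RHOMBUS_RE.match(msg)
    if m:
        return RegisterInfo(
            family="rhombus",
            version=None,
            bot_type=m.group("bot_type").decode("ascii", "replace"),
            arch=int(m.group("arch")),
            useful_len=m.end(),
            total_len=len(msg),
        )
    return None


def is_vbot1_style_register(info: RegisterInfo) -> bool:
    """vbot1 pads its register message far beyond the formatted fields. Flag a
    vbot message whose trailing bytes exceed what a newline or NUL terminator
    would account for."""
    return info.family == "vbot" and info.trailing_bytes > 2


# Constructed samples (assumptions, see module docstring).
VBOT1_SAMPLE = b"ver:4.100000:tel:1".ljust(191, b"\x00")  # 18 useful of 191 bytes
VBOT2_SAMPLE = b"ver:1.500000:tel:1\n"
RHOMBUS_SAMPLES: List[bytes] = [b"jm:_:5", b"jm:tel:5"]
UNRELATED_SAMPLE = b"GET / HTTP/1.1\r\n"


def summarize(msgs: List[bytes]) -> List[str]:
    """One human-readable line per message, for a quick triage listing."""
    lines = []
    for msg in msgs:
        info = classify_register(msg)
        if info is None:
            lines.append("no known register template")
            continue
        tag = " (vbot1-style padded registration)" if is_vbot1_style_register(info) else ""
        lines.append(f"{info.family} version={info.version} type={info.bot_type} "
                     f"arch={info.arch} useful={info.useful_len}/{info.total_len}{tag}")
    return lines


if __name__ == "__main__":
    for line in summarize([VBOT1_SAMPLE, VBOT2_SAMPLE, *RHOMBUS_SAMPLES, UNRELATED_SAMPLE]):
        print(line)
```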
<h2 id="conclusion">Conclusion</h2>
<p>I have introduced a short-lived Gafgyt variant, vbot. During its 2-month life, 31 campaigns were seen to build 19 botnets. From vbot we can learn that it’s easy for Linux IoT botnet authors to quickly write new variants, which might be due to the fact that dozens of Gafgyt and Mirai source trees have been leaked online. Once a new variant is written, the operators behind it usually spread it over and over with different campaigns to build multiple botnets. Such patterns have also been observed in other variants and families, e.g., Mirai. To fight such fast-emerging yet short-lived botnets, automatic IoC extraction would play an important role in quick blocking or tracking. At the VB2020 conference, to be held in October, I will give a <a href="https://www.virusbulletin.com/conference/vb2020/abstracts/lightweight-emulation-based-ioc-extraction-gafgyt-botnets">talk</a> on that topic. I hope it will help you fight Gafgyt botnets better.</p>
<h2 id="ioc">IoC</h2>
<h3 id="vbot1c2">vbot1 C2</h3>
<pre><code>185.225.19.200 -port 2017
</code></pre>

                    </div>
                </section>


                <footer class="post-full-footer">


                    
<section class="author-card">
        <span class="avatar-wrapper"><svg viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><g fill="none" fill-rule="evenodd"><path d="M3.513 18.998C4.749 15.504 8.082 13 12 13s7.251 2.504 8.487 5.998C18.47 21.442 15.417 23 12 23s-6.47-1.558-8.487-4.002zM12 12c2.21 0 4-2.79 4-5s-1.79-4-4-4-4 1.79-4 4 1.79 5 4 5z" fill="#FFF"/></g></svg>
</span>
    <section class="author-card-content">
        <h4 class="author-card-name"><a href="/author/liu/">LIU Ya</a></h4>
    </section>
</section>


                </footer>


            </article>

        </div>
    </main>






        <footer class="site-footer outer">
            <div class="site-footer-content inner">
                <section class="copyright"><a href="https://blog.netlab.360.com">360 Netlab Blog - Network Security Research Lab at 360</a> &copy; 2021</section>
            </div>
        </footer>

    </div>








    

</body>
</html>
